🐛 fix Docker remediations for unpinned GHA dependencies #4131
Conversation
Previously, as both the check for unpinned dependencies in GitHub Actions and the check for unpinned Docker dependencies contribute to d.Dependencies, the loop that created remediations for Docker dependencies would also create try to create Docker remediations for the unpinned GitHub Actions dependencies. This could get really slow, especially when scanning a repo with many GitHub Actions such as https://github.com/apache/beam. Signed-off-by: Arnout Engelen <arnout@bzzt.net>
raboof
force-pushed
the
fix-pinned-dependency-spurious-remediations
branch
from
789b16e
to
fcdfdb7
Compare
raboof
force-pushed
the
fix-pinned-dependency-spurious-remediations
branch
from
fdd03b2
to
fa6b0df
Compare
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
raboof
force-pushed
the
fix-pinned-dependency-spurious-remediations
branch
from
fa6b0df
to
0a2dcf0
Compare
raboof
requested review from
naveensrinivasan and
raghavkaul
and removed request for
a team
There was a problem hiding this comment.
In the context of how the code works now, I think this change seems reasonable.
How did the speed-up look on your end? Is there still need for improvement, we can try to get rid of the quadratic behavior currently exhibited as the code iterates over dependencies multiple times, which for large projects like the ASF may take a lot of time still.
These functions are all called from
scorecard/checks/raw/pinned_dependencies.go
Lines 36 to 63 in 5447253
So collectGitHubActionsWorkflowPinning identifies workflow deps W1, W2, and W3 via validateGitHubActionWorkflow and then cycles through them.
Then collectDockerfilePinning identifies docker images D1, D2, and D3, and via validateDockerfilesPinning, and then cycles through W1, W2, W3, AND D1, D2, and D3.
This continues with collectDockerfileInsecureDownloads, collectShellScriptInsecureDownloads, and collectGitHubWorkflowScriptInsecureDownloads.
This could be fixed by changing where we append to the the final dep slice, and iterating over temporary slices, but if its not worth the effort we don't need to do it yet.
|
/scdiff generate Pinned-Dependencies |
Faster is always better, and I haven't done any further profiling, but I suspect the bottlenecks will be elsewhere now.
These don't iterate over the |
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
raboof
force-pushed
the
fix-pinned-dependency-spurious-remediations
branch
from
4a1c34f
to
1d01c01
Compare
Fantastic. Thanks for catching this!
I did a quick and dirty test to avoid going over the GHA deps again in |
|
/scdiff generate Pinned-Dependencies |
spencerschrock
temporarily deployed
to
integration-test
GitHub Actions
Inactive
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
As both the check for unpinned dependencies in GitHub Actions and the check for unpinned Docker dependencies contribute to d.Dependencies, the loop that created remediations for Docker dependencies would also create try to create Docker remediations for the unpinned GitHub Actions dependencies.
This could get really slow, especially when scanning a repo with many GitHub Actions such as https://github.com/apache/beam.
What is the new behavior (if this is a feature change)?**
Only create Docker remediations for Docker dependencies (and similar for GitHub workflow remediations)
Which issue(s) this PR fixes
NONE
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)